OpenSC / pkcs11-helper

Library that simplifies the interaction with PKCS#11 providers for end-user applications using a simple API and optional OpenSSL engine

Migrate serialization format to standard PKCS#11 URIs #3

Closed dwmw2 closed 9 years ago

dwmw2 commented 9 years ago

This migrates the serialization format to conform to the PKCS#11 URI scheme as described at https://tools.ietf.org/html/draft-pechanec-pkcs11uri-16

The old form is still recognised for compatibility, but standard PKCS#11 URIs are now generated and accepted. Testing with OpenVPN now gives me the following output:

$ openvpn --show-pkcs11-ids /usr/lib64/pkcs11/gnome-keyring-pkcs11.so 

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             DC=com, DC=intel, DC=corp, DC=ger, OU=Workers, CN=Woodhouse, David, emailAddress=david.woodhouse@intel.com
       Serial:         1EB2ECCF00030058F375
       Serialized id:  pkcs11:model=1.0;manufacturer=Gnome%20Keyring;serial=1%3aUSER%3aDEFAULT;token=Gnome2%20Key%20Storage;id=%59%ae%17%70%af%e8%af%9f%5b%94%fb%c6%89%f6%f1%4c%11%5c%36%0e

... and the PKCS#11 URI thus generated is also usable with the --pkcs11-id option.

alonbl commented 9 years ago

Hi,

Supporting both formats is nice, but adding a dependency on p11-kit is not something I agree to.

The pkcs11-helper should be a minimal wrapper.

So if we can parse this within our code, it will be great.

Thanks, Alon

dwmw2 commented 9 years ago

I did consider that, as p11-kit is overkill for just parsing the URIs. However, p11-kit also offers another function — it allows co-ordination of loaded modules by multiple users in the same process, as described at http://p11-glue.freedesktop.org/doc/p11-kit/p11-kit-Modules.html

So although we're only using p11-kit for the URI parsing functionality at the moment, we probably do want to end up using it for loading modules (and for finding the system-configured modules so that the application doesn't have to specify them manually). That's why I was happy to add the p11-kit dependency.

alonbl commented 9 years ago

Not at all; I do not want a p11-kit dependency at all. If you find it useful, please use it instead.

As far as I understand, pkcs11-helper can load p11-kit, which proxies to multiple providers if so required, but this is not required as pkcs11-helper is already capable of doing so.

pkcs11-helper is much simpler and comfortable for minimal low-level PKCS#11 operations.

dwmw2 commented 9 years ago

Ok, I'll look at reimplementing the PKCS#11 URI parsing internally instead of using p11-kit for that.
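
A minimal in-tree parser for the path attributes of a PKCS#11 URI of the kind shown in the PR description (draft-pechanec-pkcs11uri: `pkcs11:` prefix, `;`-separated `name=value` pairs, percent-encoded values, optional `?` query). This is an added example, not pkcs11-helper's or p11-kit's code; the function names `pkcs11_uri_get_attr`, `pct_decode` and `hexval` are assumed. It is binary-safe so the `id` attribute decodes to raw bytes, and it returns -1 for the legacy (non-URI) form so a caller can fall back to the old parser.

```c
#include <string.h>
#include <ctype.h>

/* Value of one hex digit, or -1 for a non-hex character. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode src[0..n) into out. Returns the decoded length,
 * or -1 on a malformed %XX escape or if out is too small. */
static int pct_decode(const char *src, size_t n, unsigned char *out, size_t outsz) {
    size_t i, o = 0;
    for (i = 0; i < n; i++) {
        int c = (unsigned char)src[i], hi, lo;
        if (c == '%') {
            if (i + 2 >= n || (hi = hexval(src[i + 1])) < 0 || (lo = hexval(src[i + 2])) < 0)
                return -1;
            c = hi << 4 | lo;
            i += 2;
        }
        if (o >= outsz) return -1;
        out[o++] = (unsigned char)c;
    }
    return (int)o;
}

/* Look up path attribute `name` in a "pkcs11:" URI: ';'-separated name=value
 * pairs with percent-encoded values; an optional '?' query part is ignored.
 * Binary-safe, so it works for `id`. Returns the decoded length, 0 if the
 * attribute is absent, -1 if the string is not a PKCS#11 URI or is malformed. */
int pkcs11_uri_get_attr(const char *uri, const char *name, unsigned char *out, size_t outsz) {
    size_t nlen = strlen(name);
    const char *p, *end;
    if (strncmp(uri, "pkcs11:", 7) != 0) return -1;    /* e.g. the old serialized-id form */
    p = uri + 7;
    end = strchr(p, '?');
    if (!end) end = p + strlen(p);
    while (p < end) {
        const char *sep = memchr(p, ';', (size_t)(end - p));
        const char *seg_end = sep ? sep : end;
        const char *eq = memchr(p, '=', (size_t)(seg_end - p));
        if (!eq) return -1;                            /* attribute without '=' */
        if ((size_t)(eq - p) == nlen && memcmp(p, name, nlen) == 0)
            return pct_decode(eq + 1, (size_t)(seg_end - eq - 1), out, outsz);
        p = seg_end + 1;
    }
    return 0;
}
```

Calling it with the serialized id from the OpenVPN output above and `"id"` yields the 20 raw CKA_ID bytes; `"token"` yields `Gnome2 Key Storage`.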

dwmw2 commented 9 years ago

I don't seem to be able to reopen this having rebased the tree; I'll open a new pull request.